
A SAS 70 audit is a review of a service organization's policies, practices and security measures conducted by an independent auditor. SAS 70 audits have gained widespread usage among hosted IT service providers as a way to publicize security and accountability.

"Obviously, SAS 70 isn't the entire picture around security," said Drue Reeves, vice president and research director for cloud computing at the Utah-based Burton Group. "I see it more as about operations than about security."

SAS 70 auditing was a small step in the right direction, but it has no substantive value without full disclosure, said Reeves. SAS 70 procedures rely on a hand-picked set of goals and standards determined by the auditor and the auditee, which can vary widely. Further, completing an audit doesn't guarantee that a specific set of standards has been followed, which is the gist of the problem with announcements like these, he said.

Releasing the report is the only way for potential customers to complete accurate risk assessments on using AWS, a basic requirement for many enterprises and something competitors already do. Reeves said he's had no trouble getting in-depth, accurate information from other cloud providers and that Amazon will face increasing pressure to disclose operational information or risk losing ground to an expanding cloud computing marketplace.

"Transparency among providers is quickly becoming a market differentiator," he said. Reeves thinks it's Amazon's inexperience with the service business that has kept the iconic cloud service mute on details about hardware, software, personnel and policies that others readily share.

Reeves believes that Amazon is concerned that if it gives away the details, people will have more questions about security that could potentially drive customers away, when in fact it's just the opposite.


Dr. Chenxi Wang, principal analyst at Forrester Research, also believes the reports should be public. Amazon has always been "weird" about revealing operational details, she said, even though customers and analysts are used to transparency in the hosting marketplace.

"Certain parts of the audit report may have touched on proprietary information," Dr. Wang said, "but a very large portion of that report should be able to be sanitized." What's more important is what a SAS 70 audit won't reveal, she added.

One of the major problems with a SAS 70 audit is that it doesn't cover major security weaknesses, said Wang. It's limited to policies and procedures inside the data center, which can leave out a lot.

"This type of vulnerability is not something SAS 70 addresses," Wang said. She also mentioned other serious weaknesses in SAS 70 audits, such as personnel who might unintentionally bring in malware on a laptop or how data gets from outside to inside a data center.

SAS 70 audits can, however, give a rudimentary idea of how a data center approaches security, but only if the report is made public, added Wang.

Some enterprises actually have "completed a SAS 70 Type II audit" as a line item requirement for hosting providers, Wang said, and she thinks Amazon's announcement may be suited to satisfying that checklist item. But it is a baby step in terms of either transparency or security certifications.

"I would like them to complete an ISO 27001 audit," she said. An ISO 27001 audit is much more comprehensive and expensive than a SAS 70 audit, and it doesn't stop at the data center.

In its defense, Amazon said it obtained the certification because its customers were asking for it. "We'll continue our efforts to provide the types of certifications that are important to our customers," Amazon spokesperson Kay Kinton wrote in an email.

Kinton wrote that the audit, carried out by Ernst & Young, was an "assurance that we've successfully been through a rigorous independent audit" on security and infrastructure. She added that any more details would only be released to customers under non-disclosure agreements with Amazon.
